Letsencrypt completely stopped working (URGENT HELP NEEDED)

My domain is: I have many, but one example is “iskrena.si”

I ran this command: letsencrypt certonly -d iskrena.si --nginx
Also tried “letsencrypt renew”

It produced this output:
OpenSSL.crypto.Error: [('PEM routines', 'get_name', 'no start line')]

In case of “letsencrypt renew” it produced the following:
Attempting to renew cert (iskrena.si) from /etc/letsencrypt/renewal/iskrena.si.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.

My web server is (include version):
nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

letsencrypt --version

certbot 0.27.0

1 Like

Please show this file:

2 Likes
$ cat /etc/letsencrypt/renewal/iskrena.si.conf
# renew_before_expiry = 30 days
version = 0.27.0
archive_dir = /etc/letsencrypt/archive/iskrena.si
cert = /etc/letsencrypt/live/iskrena.si/cert.pem
privkey = /etc/letsencrypt/live/iskrena.si/privkey.pem
chain = /etc/letsencrypt/live/iskrena.si/chain.pem
fullchain = /etc/letsencrypt/live/iskrena.si/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 9662099d14a9acee553f92652bd0972d
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
1 Like

There is your problem:

When you last renewed you used --standalone
For that to work, you would have to stop nginx first.

That is NOT the ideal setup.
Maybe after you get over this URGENCY, we can talk about a better way to automate your renewals.
[FYI you have 9 days left on the current cert]

3 Likes

Yes, I first used standalone and later switched to the nginx plugin. Apparently this somehow messed up the configuration. So am I allowed to modify this file?

I realized this problem a few days ago and I'm getting worried, but you're right, 9 days should be enough time :)

1 Like

Yes, but it is simpler to let certbot / letsencrypt make all the modifications for you.
Try:
letsencrypt renew --nginx

5 Likes

Whoah! Running “letsencrypt renew --nginx” fixed everything.

This was the fastest and most effective help I ever got! Thank you!

4 Likes

Going forward, you should only need to do letsencrypt renew
And it should be automated to run at least once a day.

Then you also need to consider the restarting/reloading of nginx once the cert has been renewed.
Which can also be included in the automation process.

3 Likes

Did I understand correctly that if you install the certificate with nginx stopped, using the commands:
certbot certonly --standalone
and
certbot renew --dry-run

then it's going to renew only when you stop nginx? The second command looks obscene then, however, like the first. Need to look for other ways then.

1 Like

Yes, if nginx was stopped when you got the last cert, then it needs to be stopped to get the new one.

2 Likes

Maybe this helps… when I was using standalone my cron command looked like this:

service nginx stop && letsencrypt renew ; service nginx start

If you are not using standalone, then according to @rg305 it should be something like this:

letsencrypt renew --nginx ; service nginx reload

I’m not sure, but maybe you can even remove the --nginx switch in this case.

2 Likes

Yes, once a cert has been obtained, all the settings used are retained in the renewal conf file.
So you would only need to add something like --nginx when you want to force a change to the previously set default for that cert. Otherwise, only renew is "required".
But perhaps even just "letsencrypt" alone would default to check for renewals.

1 Like

Preferable to that is

certbot certonly -a standalone --pre-hook "service nginx stop" --post-hook "service nginx start"

In that case, certbot renew will automatically stop and start nginx for you—only on those occasions when it attempts a renewal, and not other times. Then it's fine to run certbot renew once or twice a day and not expect any downtime except for the actual renewal attempts.

2 Likes
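The failure diagnosed in this thread (a renewal conf that saved authenticator = standalone while nginx holds port 80) can be checked for across every certificate on a host. The script below is an added example, not part of any post; it assumes hooks given on the command line are saved as pre_hook in [renewalparams], and the a.example and b.example lineages are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread): flag certbot lineages whose saved
# authenticator is "standalone" with no saved pre_hook to free port 80.
# Assumption: only the renewal conf is inspected; hook scripts placed in
# renewal-hooks directories are not considered.

# Print the value of key $2 from the [renewalparams] section of file $1.
renewal_param() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_params = ($0 ~ /^[ \t]*\[renewalparams\]/); next }
        in_params && !/^[ \t]*#/ {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Print "<lineage> <verdict>" for one renewal conf file.
audit_conf() {
    name=$(basename "$1" .conf)
    auth=$(renewal_param "$1" authenticator)
    pre=$(renewal_param "$1" pre_hook)
    if [ "$auth" != "standalone" ]; then
        echo "$name ok authenticator=${auth:-unset}"
    elif [ -n "$pre" ]; then
        echo "$name ok standalone-with-pre-hook"
    else
        echo "$name RISK standalone-without-pre-hook"
    fi
}

# Audit every *.conf in a directory (default: certbot's renewal directory).
audit_dir() {
    for f in "${1:-/etc/letsencrypt/renewal}"/*.conf; do
        [ -e "$f" ] && audit_conf "$f"
    done
    return 0
}

# Constructed sample input: one conf like the thread's, one with a pre-hook.
demo=$(mktemp -d)
printf '%s\n' 'version = 0.27.0' '[renewalparams]' \
    'authenticator = standalone' > "$demo/a.example.conf"
printf '%s\n' '[renewalparams]' 'authenticator = standalone' \
    'pre_hook = service nginx stop' > "$demo/b.example.conf"
audit_dir "$demo"
rm -rf "$demo"
```

A RISK line means a scheduled renew for that lineage will fail to bind port 80 whenever a web server is running, which is the state the original poster was in with 9 days left on the certificate.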
